Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: w32 element trojan

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default w32 element trojan

    Hello to all
    I'm new here so hope I am posting this in the right spot.

    I recently have had problems with Win XP Home freezing and shutting down on me, and it got to the stage where Windows didnt start.

    I was finally able to run check disk, and then Avast anti virus which didn't detect anything, however when I ran spybot it came up with w32 element trojan worm as part of a desktop shortcut to a Shockwave game Zuma.

    After allowing Spybot to remove the shortcut, I created a new shortcut and when I ran Spybot the Trojan was back, so again I allowed it to be fixed and did not create a new shortcut.

    The next time I ran Spybot the Trojan was attached itself to the Spybot shortcut on the desktop and so I allowed SpyBot to remove the shortcut. After all this I re-ran Spybot to find it had attacked a different shortcut.

    I dont know if this was the cause of the windows problem as xp is now running ok most of the time but I am unable to get rid of this Element Trojan.


    So far I have run the following pieces of software, and the only program that detects anything is Spybot.

    * Avast
    * Avg
    * Norton online scan
    * MacFee online scan
    * Ad-aware
    * Ewido
    * Spyware Doctor

    One final thing is that I ran Zuma over the network on a laptop that wasn't doing anything strange and it started doing strange things so I'm left wondering if the software developers have planted a trojan/spyware in their application for some unknown purpose.

    I am hoping someone may be able to tell me if I have a problem or not. If I do have a problem how can I fix it, as this is driving me nuts and any help would be greatly appreciated.
    Last edited by tashi; 2006-02-24 at 07:23. Reason: Moved from False Positives

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello.
    If you have two resident Anti-Virus programs please uninstall one of them.
    http://forums.spybot.info/showthread.php?t=279
    It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other
    • Open SpyBot, check for and get any updates available.
    • Close all browsers, check for problems and fix everything found in red
    • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
    • Uncheck[ ] do not report disabled or known legitimate Items.
    • uncheck[ ] Include a list of services in report.
    • Uncheck[ ] Include uninstall list in report.
    • Now select (near the top) view report.
    • Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default w32 element trojan

    Hello Tashi
    Thank you for a quick response

    Maybe I didnt explain this problem very well. I don't usually run more than one anti virus the ones apart from Avast were only run to try and find where the trojan is coming from.

    To give you more of what is going on I followed your instructions (hope I got it all right ) then allowed spybot to remove the infected shortcut icon which is the repair method, then organised the report to send to you, then I ran Spybot again,a time delay of less than 30 minutes,and the element trojan was again detected in another shortcut on the desktop.

    Spybot is the only program of all those I ran to detect this bug which seems to move straight to another shortcut when fixed by Spybot.

    Thanks again for your help I just hope you can find the root of this problem

    Po

    ps ;this wont all fit in one post so I will have to try 2 replies


    --- Search result list ---
    Element: Autostart file (File, fixed)
    D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to project1.exe.lnk


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-01-18 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-02-24 Includes\Cookies.sbi (*)
    2006-02-24 Includes\Dialer.sbi (*)
    2006-02-24 Includes\Hijackers.sbi (*)
    2006-02-24 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-02-24 Includes\Malware.sbi (*)
    2006-02-24 Includes\PUPS.sbi (*)
    2006-02-24 Includes\Revision.sbi (*)
    2006-02-24 Includes\Security.sbi (*)
    2006-02-24 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-02-24 Includes\Trojans.sbi (*)



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Security Update for Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Security Update for Windows XP (KB893066)
    / Windows XP / SP3: Security Update for Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB894391)
    / Windows XP / SP3: Security Update for Windows XP (KB896358)
    / Windows XP / SP3: Security Update for Windows XP (KB896422)
    / Windows XP / SP3: Security Update for Windows XP (KB896423)
    / Windows XP / SP3: Security Update for Windows XP (KB896424)
    / Windows XP / SP3: Security Update for Windows XP (KB896428)
    / Windows XP / SP3: Security Update for Windows XP (KB896688)
    / Windows XP / SP3: Update for Windows XP (KB898461)
    / Windows XP / SP3: Security Update for Windows XP (KB899587)
    / Windows XP / SP3: Security Update for Windows XP (KB899591)
    / Windows XP / SP3: Security Update for Windows XP (KB900725)
    / Windows XP / SP3: Security Update for Windows XP (KB901017)
    / Windows XP / SP3: Security Update for Windows XP (KB901214)
    / Windows XP / SP3: Security Update for Windows XP (KB902400)
    / Windows XP / SP3: Security Update for Windows XP (KB904706)
    / Windows XP / SP3: Security Update for Windows XP (KB905414)
    / Windows XP / SP3: Security Update for Windows XP (KB905749)
    / Windows XP / SP3: Security Update for Windows XP (KB905915)
    / Windows XP / SP3: Security Update for Windows XP (KB908519)
    / Windows XP / SP3: Update for Windows XP (KB910437)
    / Windows XP / SP3: Security Update for Windows XP (KB911927)
    / Windows XP / SP3: Security Update for Windows XP (KB912919)
    / Windows XP / SP3: Security Update for Windows XP (KB913446)


    --- Startup entries list ---
    Located: HK_LM:Run, avast!
    command: D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    file: D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    size: 102448
    MD5: 9eb989d83225f2e6d9ecfdccdd0db0ca

    Located: HK_LM:Run, KernelFaultCheck
    command: %systemroot%\system32\dumprep 0 -k
    file: D:\WINDOWS\system32\dumprep.exe
    size: 10752
    MD5: 13922eb54890c77005268882629a31fe

    Located: HK_LM:Run, Lexmark X1100 Series
    command: "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    file: D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    size: 57344
    MD5: 8e7939d19e49d071110d780bf1edec21

    Located: HK_LM:Run, NeroFilterCheck
    command: D:\WINDOWS\system32\NeroCheck.exe
    file: D:\WINDOWS\system32\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, SoundMan
    command: SOUNDMAN.EXE
    file: D:\WINDOWS\SOUNDMAN.EXE
    size: 77824
    MD5: 0a66d1ca518e5f32a18310a74e20ad4a

    Located: HK_LM:Run, Startup Cleaner
    command: D:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
    file: D:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
    size: 114688
    MD5: 5d7631df1d7bed347edda97b69f46a42

    Located: HK_LM:Run, vsc32cnf.exe
    command: D:\Program Files\Roland\VSC32\vsc32cnf.exe
    file: D:\Program Files\Roland\VSC32\vsc32cnf.exe
    size: 36864
    MD5: 939e091564a2d1df9fc185909e0e0592

    Located: HK_LM:Run, vscvol.exe
    command: D:\Program Files\Roland\VSC32\vscvol.exe
    file: D:\Program Files\Roland\VSC32\vscvol.exe
    size: 36864
    MD5: bb15e7ac61895a9d9aa107a3be5f1612

    Located: HK_CU:Run, CTFMON.EXE
    command: D:\WINDOWS\system32\ctfmon.exe
    file: D:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, Spyware Doctor
    command: "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    file: D:\Program Files\Spyware Doctor\swdoctor.exe
    size: 1992928
    MD5: 77e67d0857b21573c1a79c05c9c761f3

    Located: HK_CU:Run, Yahoo! Pager
    command: "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    file: D:\Program Files\Yahoo!\Messenger\ypager.exe
    size: 3084288
    MD5: 1374e98301bd093b60f93623c313dea2

    Located: Startup (common), AudiMax Dual.lnk
    command: D:\Program Files\Mediatek\AudiMax Dual\AudiMaxDual.exe
    file: D:\Program Files\Mediatek\AudiMax Dual\AudiMaxDual.exe
    size: 1384448
    MD5: 5132d4d5ca2286694ce82c1467737a01

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll



    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    BHO name:
    CLSID name: AcroIEHlprObj Class
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: D:\Program Files\Adobe\Acrobat 7.0\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 14/12/2004 1:56:50 AM
    Date (last access): 25/02/2006 2:15:24 PM
    Date (last write): 24/09/2005 3:12:08 PM
    Filesize: 63136
    Attributes: archive
    MD5: B61D5D651ECC6055C29BF826CA7B1141
    CRC32: FEF15799
    Version: 7.0.5.172

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: D:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 12/05/2004 1:03:00 AM
    Date (last access): 25/02/2006 2:15:24 PM
    Date (last write): 31/05/2005 1:04:00 AM
    Filesize: 853672
    Attributes: archive
    MD5: 250D787A5712D7768DDC133B3E477759
    CRC32: D4589A41
    Version: 1.4.0.0

    {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
    BHO name:
    CLSID name: PCTools Site Guard
    Path: D:\PROGRA~1\SPYWAR~1\tools\
    Long name: iesdsg.dll
    Short name:
    Date (created): 21/02/2006 8:14:10 PM
    Date (last access): 25/02/2006 2:15:26 PM
    Date (last write): 9/12/2005 4:22:26 PM
    Filesize: 786656
    Attributes: archive
    MD5: 5687E0824D86BCD741FF316B2AAEC223
    CRC32: A1216E9B
    Version: 3.5.0.65

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    BHO name:
    CLSID name: SSVHelper Class
    Path: D:\Program Files\Java\jre1.5.0_06\bin\
    Long name: ssv.dll
    Short name:
    Date (created): 10/11/2005 1:03:56 PM
    Date (last access): 25/02/2006 2:15:26 PM
    Date (last write): 10/11/2005 1:22:10 PM
    Filesize: 184423
    Attributes: archive
    MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
    CRC32: 0111B892
    Version: 5.0.60.5

    {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
    BHO name:
    CLSID name: PCTools Browser Monitor
    Path: D:\PROGRA~1\SPYWAR~1\tools\
    Long name: iesdpb.dll
    Short name:
    Date (created): 21/02/2006 8:14:10 PM
    Date (last access): 25/02/2006 2:15:26 PM
    Date (last write): 6/02/2006 2:51:34 PM
    Filesize: 848048
    Attributes: archive
    MD5: 3C209CE58A314E58C3FA8DEF364AE4CD
    CRC32: C0E40DE6
    Version: 3.5.0.277



    --- ActiveX list ---
    {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
    DPF name:
    CLSID name: Shockwave ActiveX Control
    Installer:
    Codebase: http://download.macromedia.com/pub/s...irector/sw.cab
    description: Macromedia ShockWave Flash Player 7
    classification: Legitimate
    known filename: SWDIR.DLL
    info link:
    info source: Patrick M. Kolla
    Path: D:\WINDOWS\system32\Macromed\Director\
    Long name: SwDir.dll
    Short name:
    Date (created): 12/01/2006 7:46:36 PM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 19/12/2005 4:05:56 PM
    Filesize: 54976
    Attributes: archive
    MD5: 9EDA5BB8F38D6A1235D93F1A81971928
    CRC32: 702383B9
    Version: 10.1.0.11

    {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
    DPF name:
    CLSID name: Symantec AntiVirus scanner
    Installer: D:\WINDOWS\Downloaded Program Files\avsniff.inf
    Codebase: http://security.symantec.com/sscv6/S...in/AvSniff.cab
    description: Symantec online scanner
    classification: Legitimate
    known filename: AVSNIFF.DLL
    info link:
    info source: Patrick M. Kolla
    Path: D:\WINDOWS\Downloaded Program Files\
    Long name: avsniff.dll
    Short name:
    Date (created): 22/02/2006 1:14:22 PM
    Date (last access): 25/02/2006 2:12:28 PM
    Date (last write): 22/02/2006 1:14:22 PM
    Filesize: 231072
    Attributes: archive
    MD5: F973B8D3F793FF725DFB7DBF8F541EB4
    CRC32: 1C3FBDE3
    Version: 2006.2.22.58

    {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object)
    DPF name:
    CLSID name: CPlayFirstTriJinxControl Object
    Installer:
    Codebase: http://download.games.yahoo.com/game...x.1.0.0.55.cab
    Path:
    Long name: (value not set)

    {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool)
    DPF name:
    CLSID name: Malicious Software Removal Tool
    Installer:
    Codebase: http://download.microsoft.com/downlo...WebCleaner.cab
    description:
    classification: Legitimate
    known filename: WebCleaner.dll
    info link:
    info source: Safer Networking Ltd.
    Path:
    Long name: (value not set)

    {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
    DPF name:
    CLSID name: Symantec RuFSI Utility Class
    Installer: D:\WINDOWS\Downloaded Program Files\CabSA.inf
    Codebase: http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    description:
    classification: Legitimate
    known filename: rufsi.dll
    info link:
    info source: Safer Networking Ltd.
    Path: D:\WINDOWS\Downloaded Program Files\
    Long name: rufsi.dll
    Short name:
    Date (created): 22/02/2006 1:14:52 PM
    Date (last access): 25/02/2006 2:12:28 PM
    Date (last write): 22/02/2006 1:14:52 PM
    Filesize: 161480
    Attributes: archive
    MD5: 7C20EAAD0E25468E0DE0236B71E35327
    CRC32: 87F73BD9
    Version: 2006.2.15.43

    {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    description: Sun Java
    classification: Legitimate
    known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
    info link:
    info source: Patrick M. Kolla
    Path: D:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 10/11/2005 1:03:56 PM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 10/11/2005 1:22:10 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default 2nd half

    {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
    DPF name:
    CLSID name: MsnMessengerSetupDownloadControl Class
    Installer:
    Codebase: http://messenger.msn.com/download/Ms...Downloader.cab
    description:
    classification: Legitimate
    known filename: MsnMessengerSetupDownloader.ocx
    info link:
    info source: Safer Networking Ltd.
    Path:
    Long name: (value not set)

    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    Path: D:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 10/11/2005 1:03:56 PM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 10/11/2005 1:22:10 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_06
    Installer:
    Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
    Path: D:\Program Files\Java\jre1.5.0_06\bin\
    Long name: NPJPI150_06.dll
    Short name: NPJPI1~1.DLL
    Date (created): 10/11/2005 1:03:56 PM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 10/11/2005 1:22:10 PM
    Filesize: 69746
    Attributes: archive
    MD5: D2CF6BB5E9020E6707B62575F8083954
    CRC32: 7F39DC54
    Version: 5.0.60.5

    {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
    DPF name:
    CLSID name: Shockwave Flash Object
    Installer:
    Codebase: http://download.macromedia.com/pub/s...sh/swflash.cab
    description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
    info link:
    info source: Patrick M. Kolla
    Path: D:\WINDOWS\system32\Macromed\Flash\
    Long name: Flash8.ocx
    Short name:
    Date (created): 27/08/2005 1:38:56 PM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 27/08/2005 1:38:56 PM
    Filesize: 1435272
    Attributes: archive
    MD5: 900373C059C2B51CA91BF110DBDECB33
    CRC32: F19599BC
    Version: 8.0.22.0

    {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
    DPF name:
    CLSID name: PopCapLoader Object
    Installer: D:\WINDOWS\Downloaded Program Files\popcaploader.inf
    Codebase: http://download.games.yahoo.com/game...ploader_v6.cab
    description:
    classification: Open for discussion
    known filename: POPCAPLOADER.DLL
    info link:
    info source: Safer Networking Ltd.
    Path: D:\WINDOWS\Downloaded Program Files\
    Long name: popcaploader.dll
    Short name: POPCAP~1.DLL
    Date (created): 26/08/2004 12:12:00 PM
    Date (last access): 25/02/2006 2:12:28 PM
    Date (last write): 26/08/2004 12:12:00 PM
    Filesize: 126976
    Attributes:
    MD5: 57F868A52B9D4153658DC0DB5062E536
    CRC32: 35357599
    Version: 1.0.0.6

    {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class)
    DPF name:
    CLSID name: McFreeScan Class
    Installer: D:\WINDOWS\Downloaded Program Files\mcfscan.inf
    Codebase: http://download.mcafee.com/molbin/is...03/mcfscan.cab
    description:
    classification: Legitimate
    known filename: mcfscan.dll
    info link:
    info source: Safer Networking Ltd.
    Path: D:\WINDOWS\McAfee.com\FreeScan\
    Long name: mcfscan.dll
    Short name:
    Date (created): 22/02/2006 9:50:32 AM
    Date (last access): 25/02/2006 2:32:10 PM
    Date (last write): 22/02/2006 9:50:32 AM
    Filesize: 116288
    Attributes: archive
    MD5: D4E31BADBA19D51C9D6F0174D51E4793
    CRC32: B6EC6A2D
    Version: 2.1.0.4703



    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 712 ( 4) \SystemRoot\System32\smss.exe
    PID: 888 ( 712) \??\D:\WINDOWS\system32\csrss.exe
    PID: 912 ( 712) \??\D:\WINDOWS\system32\winlogon.exe
    PID: 976 ( 912) D:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 988 ( 912) D:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 1184 ( 976) D:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1280 ( 976) D:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1392 ( 976) D:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1448 ( 976) D:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1596 ( 976) D:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 124 ( 976) D:\WINDOWS\system32\LEXBCES.EXE
    size: 303104
    MD5: 027D03D9D8AB95194A115A999E960AC0
    PID: 176 ( 976) D:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
    PID: 144 ( 124) D:\WINDOWS\system32\LEXPPS.EXE
    size: 174592
    MD5: 8D836E60877ED79C409712B9BE2DFC3B
    PID: 388 ( 316) D:\WINDOWS\Explorer.EXE
    size: 1032192
    MD5: A0732187050030AE399B241436565E64
    PID: 1424 ( 388) D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    size: 57344
    MD5: 8E7939D19E49D071110D780BF1EDEC21
    PID: 1508 ( 388) D:\WINDOWS\SOUNDMAN.EXE
    size: 77824
    MD5: 0A66D1CA518E5F32A18310A74E20AD4A
    PID: 1548 ( 388) D:\Program Files\Roland\VSC32\vsc32cnf.exe
    size: 36864
    MD5: 939E091564A2D1DF9FC185909E0E0592
    PID: 1564 ( 388) D:\Program Files\Roland\VSC32\vscvol.exe
    size: 36864
    MD5: BB15E7AC61895A9D9AA107A3BE5F1612
    PID: 1680 ( 388) D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    size: 102448
    MD5: 9EB989D83225F2E6D9ECFDCCDD0DB0CA
    PID: 1696 (1424) D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    size: 53248
    MD5: 9C2991D06E1F40ADBDED988B013828C8
    PID: 1716 ( 388) D:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8
    PID: 1744 ( 388) D:\Program Files\Spyware Doctor\swdoctor.exe
    size: 1992928
    MD5: 77E67D0857B21573C1A79C05C9C761F3
    PID: 1760 ( 388) D:\Program Files\Mediatek\AudiMax Dual\AudiMaxDual.exe
    size: 1384448
    MD5: 5132D4D5CA2286694CE82C1467737A01
    PID: 1884 (1728) D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    size: 90112
    MD5: BED117A8BAB5D2C85D50E44F8E90705C
    PID: 484 ( 976) D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    size: 53248
    MD5: 435D862E96FE19612093177CF6618F4E
    PID: 492 ( 976) D:\Program Files\Alwil Software\Avast4\ashServ.exe
    size: 102448
    MD5: 0839B8BFDF17DAC8C9B083009768400E
    PID: 564 ( 976) D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    size: 159744
    MD5: 72AB5A8F5C69FBFA346DBC551E92069C
    PID: 596 ( 976) D:\Program Files\ewido anti-malware\ewidoctrl.exe
    size: 13888
    MD5: 26830B750372AB1BF29C95DEEBEB802F
    PID: 624 ( 976) D:\Program Files\ewido anti-malware\ewidoguard.exe
    size: 151616
    MD5: 34A50717AD686900F078F5208F8E908E
    PID: 840 ( 976) D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    size: 1368064
    MD5: 37F2DECEBEDC9179A149CC40968CDF5A
    PID: 1204 ( 976) D:\Program Files\Spyware Doctor\sdhelp.exe
    size: 870624
    MD5: 186EE3B89521257C480E55063A91DE77
    PID: 1724 ( 840) D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    size: 2617344
    MD5: 34D8182F75D145FD5C1B0384400E588B
    PID: 1348 ( 976) D:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 3312 ( 976) D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    size: 241712
    MD5: A7A61A9FFE49102C0ECDC259C915BDB9
    PID: 3536 ( 840) D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    size: 2617344
    MD5: 34D8182F75D145FD5C1B0384400E588B
    PID: 3580 ( 976) D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    size: 364592
    MD5: 1E898FA5EA0C8CB3BF053997516BB2C0
    PID: 720 ( 976) D:\WINDOWS\System32\alg.exe
    size: 44544
    MD5: F1958FBF86D5C004CF19A5951A9514B7
    PID: 1788 ( 388) D:\Program Files\Winamp3\Studio.exe
    size: 62240
    MD5: 2EAE2A97F7575289C8BEA9D22AAA767E
    PID: 2388 ( 388) D:\Program Files\Windows NT\Accessories\wordpad.exe
    size: 214528
    MD5: F0543ACEEB5CD8821469958C9F3DD9A4
    PID: 1104 ( 388) D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    size: 4393096
    MD5: 09CA174A605B480318731E691DC98539
    PID: 4 ( 0) System


    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 25/02/2006 2:43:19 PM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    about:blank
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 3: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 4: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 5: MSAFD nwlnkipx [IPX]
    GUID: {11058240-BE47-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD nwlnkipx *

    Protocol 6: MSAFD nwlnkspx [SPX]
    GUID: {11058241-BE47-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD nwlnkspx *

    Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
    GUID: {11058241-BE47-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD nwlnkspx *

    Protocol 8: MSAFD nwlnkspx [SPX II]
    GUID: {11058241-BE47-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD nwlnkspx *

    Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
    GUID: {11058241-BE47-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD nwlnkspx *

    Protocol 10: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D0BD8BF-FA79-4726-83AB-AEAF7CCF4994}] SEQPACKET 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D0BD8BF-FA79-4726-83AB-AEAF7CCF4994}] DATAGRAM 5
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C40029FE-8B4D-4223-839E-3628C16A26C5}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C40029FE-8B4D-4223-839E-3628C16A26C5}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F35A677E-8B46-4966-B556-AAD8C409564F}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F35A677E-8B46-4966-B556-AAD8C409564F}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{02BDAA4A-77ED-4C00-8BFA-27C0EE648E41}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{02BDAA4A-77ED-4C00-8BFA-27C0EE648E41}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0AF14869-9E12-41A9-8321-0251C9EEDA33}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0AF14869-9E12-41A9-8321-0251C9EEDA33}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace

    Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
    GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\nwprovau.dll
    Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
    DB filename: %SystemRoot%\system32\nwprovau.dll
    DB protocol: NWLink IPX/SPX/NetBIOS*


    Looks like I'm trying to send to much info so I hope it all works out

    Thanks again Po

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to project1.exe.lnk
    that is a Shockwave game called Zuma ?
    Unfortunate name project1.exe
    We have to show discretion when SpyBot detects shortcuts, meaning if you know it to be a good program ignore it.
    I don't see any malware/spyware in your logs
    If SSD continues to find that or similar item post the Top most part of the log again please.

  6. #6
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default re: w32 element trojan

    Hello LonnyRJones
    Thanks for your reply

    No Project1.exe is not Zuma it is a shortcut to a program written by my son

    It seems I am not explaining properly so I'll try again

    I run Spybot it detects element Spybot details show shortcut as infected file

    I then click fix selected problems

    Spybot then deletes shortcut icon Spybot doesn't only detect shortcut it detects element infection in shortcut

    If I run Spybot again (which I have) it will again detect element again in a totally different shortcut because I dont re-create the deleted shortcut

    That can happen when no programs are running except Windows xp and Spybot

    No other program I have run detects this Trojan

    Hope this explains better
    Thanks again for your help

    Po

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Can we see another SSD report please, just the top part that shows "element" pointing to a differant shortcut, Thanks.

  8. #8
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default

    Hello LonnyRJones

    Thanks for your reply

    This is the info you asked for


    --- Search result list ---
    Element: Autostart file (File, nothing done)
    D:\Documents and Settings\ViPo.KG2\Desktop\Shortcut to Lyndell (Newtop).lnk

    This is a shortcut to a home network laptop computer owned by my daughter

    This is other shortcuts detected as infected by element stored in Spybot recovery folder

    The first Zuma shortcut infection was detected when I was having serious problems with Windows xp

    Zuma, Zuma, Search and Destroy, Solitaire, Zuma, Simplifying Chord Progression, Recolored, Project1.exe

    I haven't deleted the shortcut to Lyndell because she is away from home at the moment so that shortcut will not be used

    Thanks again for taking the time to look into this for me
    Po

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Would you please right click on "Lyndell (Newtop).lnk" and see if it is pointing to the correct program, if not what does it point to ?

    Download and run Silentrunners.Vbs post the log it creates please
    http://www.silentrunners.org/sr_scriptuse.html click no to not skip the suplimentry searchs
    Wait until there is a All Done message !!, Then open and post the log next to it. Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    7

    Default

    Hello LonnyRJones

    Thanks for your reply

    The right click on this shortcut seems to be ok "Lyndell (Newtop).lnk"

    Thanks again for your interest here

    Po

    "Silent Runners.vbs", revision 43, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
    "Yahoo! Pager" = ""D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Lexmark X1100 Series" = ""D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "vsc32cnf.exe" = "D:\Program Files\Roland\VSC32\vsc32cnf.exe" ["Roland"]
    "vscvol.exe" = "D:\Program Files\Roland\VSC32\vscvol.exe" ["Roland"]
    "Startup Cleaner" = "D:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe" ["CM DiskCleaner"]
    "avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
    "KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]
    "NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
    -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\dfshim.dll" [MS]
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
    -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\dfshim.dll" [MS]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


    Default executables:
    --------------------

    .HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
    INFECTION WARNING! "Default" = "NOTEPAD.EXE %1" [MS]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "D:\Documents and Settings\ViPo.KG2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "ViPo" & "All Users" startup folders:
    ------------------------------------------------------

    D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
    "AudiMax Dual" -> shortcut to: "D:\Program Files\Mediatek\AudiMax Dual\AudiMaxDual.exe" [empty string]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
    "ButtonText" = "Yahoo! Messenger"
    "MenuText" = "Yahoo! Messenger"
    "Exec" = "D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
    avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
    avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
    Diskeeper, Diskeeper, ""D:\Program Files\Executive Software\DiskeeperLite\DKService.exe"" ["Executive Software International, Inc."]
    ewido security suite control, ewido security suite control, "D:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
    ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
    LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
    Sunbelt Kerio Personal Firewall 4, KPF4, ""D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 48 seconds)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •